Add option to build with control-flow integrity (CFI) enabled (--enable-cfi) #15145

issue practicalswift opened this issue on January 10, 2019
  1. practicalswift commented at 8:35 PM on January 10, 2019: contributor

    Add option to build with control-flow integrity (CFI) enabled (--enable-cfi).

    Control-flow integrity (CFI) is a very powerful exploit mitigation technique.

    CFI makes it harder for an attacker to redirect the flow of execution of a program.

    Like other exploit mitigations (ASLR, DEP, stack cookies, etc.) it reduces the probability of bugs turning into exploits.

  2. fanquake added the label Build system on Jan 10, 2019
  3. laanwj commented at 2:26 PM on January 18, 2019: member

    Any reason to make this a separate option instead of include it witn default --enable-hardening?

  4. practicalswift commented at 2:48 PM on January 18, 2019: contributor

    @laanwj My thinking was the could start with --enable-cfi and then move it to --enable-hardening after a while when people have played with it. But perhaps I'm too cautious :-)

  5. laanwj commented at 5:38 PM on January 18, 2019: member

    Big chance it's already possible to experiment with that without making a special case in the build system.

    For ex. if enabling this feature is a matter of enabling a flag to the C compiler, it can be passed using ./configure ... CFLAGS="..." CXXFLAGS="..."

  6. practicalswift commented at 11:49 AM on May 19, 2020: contributor

    Closing due to lack of interest/progress :)

  7. practicalswift closed this on May 19, 2020
  8. DrahtBot locked this on Feb 15, 2022
Contributors
practicalswiftlaanwj
Labels
Build system
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-16 15:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me